Mobile devices such as smartphones and tablets, as well as wearable computing devices such as Google® Glass, are vulnerable at all times to being used by unauthorized individuals or impostors. Whether it is a thief who steals a device from a purse on a subway, a romantic partner checking text messages for signs of an affair, or a child looking to play games, mobile device users run serious risks when unauthorized users or impostors obtain access to such devices.
Various prior art and prior use mechanisms are utilized in mobile devices to protect against use by unauthorized individuals or impostors. For example, all smartphones have lock screens that are protected by a variety of mechanisms including PINs, passwords, gestures, and fingerprints. While lock screens can provide significant protections when properly used, they can also degrade the usability of a device by inserting an unwanted step—the authentication step—between the user and their objective of using their phone at all times of the day and night. The burden is so significant that many users forego the protection of lock screens, as explained in “Beyond the pin: Enhancing user authentication for mobile devices” by S. Furnell, N. Clarke, and S. Karatzouni, Computer Fraud & Security, 2008(8):12-17, 2008; and “Authentication of users on mobile telephones—a survey of attitudes and practices” by N. L. Clarke and S. M. Furnell, Computers & Security, 24(7):519-527, 2005.
Even when users do enable these mechanisms, they may configure them with weak credentials or so that the device locks itself infrequently. Further, the protection provided is also incomplete, as some unauthorized users or impostors will know how to bypass the lock screen.
Implicit authentication mechanisms provide a solution to overcome these problems by allowing the mobile device to identify the user without the user performing any explicit authentication action. Several researchers have proposed implicit authentication schemes for smartphones based upon how users interact with a touchscreen. Examples include the systems described in “Continuous mobile authentication using touchscreen gestures” by Feng et al., 2012 IEEE Conference on Technologies for Homeland Security (HST), pp. 451-456, 2012; and “Touchalytics: On the applicability of touchscreen input as a behavioral biometric for continuous authentication” by Frank et al., IEEE Transactions on Information Forensics and Security, vol. 8, no. 1, pp. 136-148, 2013. Systems disclosed by BehavioSec™ attempt to ensure that the correct person is entering a password pattern or a Personal Identification Number (PIN).
Other schemes have been proposed based on how users hold the phone, such as the system described in “A new non-intrusive authentication method based on the orientation sensor for smartphone users” by C.-C. Lin, D. Liang, C.-C. Chang, and C.-H. Yang, 2012 IEEE Sixth International Conference on Software Security and Reliability (SERE), pp. 245-252, IEEE, 2012.
Other schemes have been proposed based on gait, such as the system described in Derawi, Mohammad Omar, et al. “Unobtrusive user-authentication on mobile phones using biometric gait recognition.” Intelligent Information Hiding and Multimedia Signal Processing (IIH-MSP), 2010 Sixth International Conference on. IEEE, 2010.
To date, however, commercially available prior art and prior use systems have offered only improved security guarantees, such as by ensuring the correct person is entering a PIN or password pattern, rather than the improved usability of a non-intrusive authentication system.
While results from these prior art systems show that it is possible to distinguish users using mobile device sensors and machine learning algorithms, these prior art systems do not use appropriate algorithms or the appropriate evaluation methodologies that are required for building and assessing a workable implicit authentication scheme.
There are several requirements for practical mobile device implicit authentication mechanisms, which will be discussed in the section titled “Requirements” below.
A swipe-based implicit authentication scheme that addresses the requirements is then set out in the section titled “Approach”.